JWKS (well known) endpoint timing out after 60 seconds

Problem Statement

I have recently updated my applications to use the Auth0 JWKS endpoint for the JWT token verification. The process is working fine other than the frequent timeouts we are experiencing hitting the JWKS endpoint. I have both connect and read timeouts set to 60 seconds, which should be plenty, and the read operation timing out after 60 seconds. The request eventually succeeds but only after several attempts.

I have cached the JWKS response for 7 days, so we are not hitting the endpoint excessively. Can someone take a look at my account to work out what is causing the timeouts? Note that we are not experiencing timeouts for any other 3rd party endpoints, including Auth0, so I don’t think we have any underlying network issues.

For background, our applications are Spring-based Java applications deployed in AWS. We use Spring security and well-documented methods for decoding JWTs received from Auth0.

Solution

JWKS endpoint needs to be cached to avoid frequent calls to this endpoint. Also, whenever possible, we recommend prefetching the keys instead of waiting for the cache to expire. Prefetching can help avoid intermittent failures during the login flow due to the latency in this endpoint after the cache is invalidated.

For the Spring framework, in particular, you may check this GitHub issue that may help to prefetch the JWKS endpoint. Also, based on this comment this functionality may be available in nimbus-jose-jwt soon.